INSTITUTO SUPERIOR TÉCNICO


INSTITUTO SUPERIOR TÉCNICO
DEPARTAMENTO DE ENGENHARIA INFORMÁTICA
FORENSICS CYBER-SECURITY
MEIC, METI

Lab Guide III & IV
Case Solving: Mr. Informant Case
2015/2016
nuno.m.santos@tecnico.ulisboa.pt

1 Introduction

The purpose of this task is to learn about various types of data leakage and to practice the corresponding investigation techniques using a simulated scenario. As part of this exercise, we provide digital evidence files that will be analyzed using forensic tools for Windows. For this reason, you will need either to set up a Windows virtual machine or to use your own Windows computer as the forensics platform. To set up a Windows forensics VM, download the corresponding appliance from /afs/ist.utl.pt/groups/csf/public/toolkit and import it into VirtualBox. Then start up the VM. In the AFS directory /afs/ist.utl.pt/groups/csf/public/lab3-4 you will find forensic tools, digital evidence files, and the file lab3-4_answers.pdf, all of which will be required in this exercise. Performing this assignment in full will take you two full lab classes.

2 Scenario overview

Mr. Iaman Informant was working as a manager of the technology development division at a famous international company, OOO, that developed state-of-the-art technologies and gadgets. One day, at a place Mr. Informant visited on business, he received an offer from Mr. Spy Conspirator to leak sensitive information related to the newest technology. Mr. Conspirator was in fact an employee of a rival company. Mr. Informant decided to accept the offer in exchange for a large amount of money, and began establishing a detailed leakage plan.

Mr. Informant made a deliberate effort to hide the leakage plan. He discussed it with Mr. Conspirator over an e-mail service, disguised as a business relationship. He also sent samples of confidential information through personal cloud storage. After receiving the sample data, Mr. Conspirator asked for the direct delivery of the storage devices holding the remaining (large amount of) data. Eventually, Mr. Informant tried to take his storage devices out of the company, but he and his devices were detected at the company's security checkpoint, and he was suspected of leaking company data.

At the security checkpoint his devices (a USB memory stick and a CD) were briefly checked (protected with portable write blockers), and no evidence of any leakage was found. They were then immediately transferred to the digital forensics laboratory for further analysis.

The information security policies of the company include the following:

(a) Confidential electronic files must be stored and kept on the authorized external storage devices and the secured network drives.
(b) Confidential paper documents and electronic files can be accessed only within the allowed time range, from 10:00 AM to 16:00 PM, with the appropriate permissions.
(c) Non-authorized electronic devices such as laptops, portable storage, and smart devices cannot be carried into the company.
(d) All employees are required to pass through the Security Checkpoint system.
(e) All storage devices such as HDDs, SSDs, USB memory sticks, and CDs/DVDs are forbidden under the Security Checkpoint rules.

In addition, although the company kept separate internal and external networks and used DRM (Digital Rights Management) and DLP (Data Loss Prevention) solutions for its information security, Mr. Informant had sufficient authority to bypass them. He was also very interested in IT (Information Technology), and had a slight knowledge of digital forensics.

In this scenario, find any evidence of the data leakage, and any data that might have been generated from the suspect's electronic devices.

CSF Lab Guide III & IV Page 2 of 8

3 Target systems and devices

The table below lists the details of the target systems and devices. Some of the collected media were formatted with the exFAT and UDF file systems. You can find more information about these file systems on the Web.

Target                      Detailed information
Personal Computer (PC)      Type: Virtual System
                            CPU: 1 Processor (2 Core)
                            RAM: 2,048 MB
                            HDD Size: 20 GB
                            File System: NTFS
                            IP Address: 10.11.11.129
                            Operating System: Microsoft Windows 7 Ultimate (SP1)
Removable Media #1 (RM#1)   Type: USB removable storage device
                            Serial No.: 4C530012450531101593
                            Size: 4 GB
                            File System: exFAT
Removable Media #2 (RM#2)   Type: USB removable storage device
                            Serial No.: 4C530012550531106501
                            Size: 4 GB
                            File System: FAT32
Removable Media #3 (RM#3)   Type: CD-R
                            Size: 700 MB
                            File System: UDF

* Authorized USB memory stick for managing confidential electronic files of the company.

4 Acquired data information

The images presented next were collected for digital investigation. Note that investigators could not obtain a forensic image of removable media #2 (RM#2) due to privacy concerns.

Image                       Details
Personal Computer (PC)      Files: pc.dd.tgz-a? (8 files, total 7.1 GB compressed by gzip), DD image
                            Imaging S/W: FTK Imager 3.4.0.1
                            Image Format: converted from VMDK
Removable Media #2 (RM#2)   Files: rm#2.dd.tgz (total 245 MB compressed by gzip), DD image
                            Imaging S/W: FTK Imager 3.3.0.5 (write-blocked by Tableau USB Bridge T8-R2)
                            Image Format: DD
Removable Media #3 (RM#3)   Files: rm#3-type2.dd.tgz (total 91.6 MB compressed by gzip), DD image
                            Imaging S/W: FTK Imager 3.3.0.5 + bchunk (http://he.fi/bchunk)
                            Image Format: DD converted from RAW ISO + CUE

* Authorized USB memory stick for managing confidential electronic files of the company.

File name                                    MD5
cfreds_2015_data_leakage_pc.dd.tgz-aa        28d803c56899ae8859d2a681022a5351
cfreds_2015_data_leakage_pc.dd.tgz-ab        a27989a58f05488dbb022ded6cb85ee8
cfreds_2015_data_leakage_pc.dd.tgz-ac        1c36b22582ee426ae6db9e37fdd501a0
cfreds_2015_data_leakage_pc.dd.tgz-ad        f543787ade097aca03bdb6346212caee
cfreds_2015_data_leakage_pc.dd.tgz-ae        8bdb3ba90f2dd540956405bbeadce252
cfreds_2015_data_leakage_pc.dd.tgz-af        20ae244fb10fccdbd6d14557f672f270
cfreds_2015_data_leakage_pc.dd.tgz-ag        833658c4088544712af0ab7ccea57dc6
cfreds_2015_data_leakage_pc.dd.tgz-ah        70fbe38354e5e54456721e1880bc57d4
cfreds_2015_data_leakage_rm#2.dd.tgz         8f63bb871de606202324aa4385431fc6
cfreds_2015_data_leakage_rm#3_type2.dd.tgz   8890af7097949848bdc45d4b228c3127

5 Digital forensic practice points

The following table presents a summary of the practice points related to the images above.

Practice point                        Description
Understanding types of data leakage   > Storage devices: HDD, SSD, USB flash drive, flash memory cards, CD/DVD (with Optical Disk Drive)
                                      > Network transmission: file sharing, Remote Desktop Connection, e-mail, social networks, cloud services, messenger
Windows forensics                     > Windows event logs
                                      > Opened files and directories
                                      > Application (executable) usage history
                                      > CD/DVD burning records
                                      > External devices attached to the PC
                                      > Network drive connection traces
                                      > System caches
                                      > Windows Search databases
                                      > Volume Shadow Copies
File system forensics                 > FAT, NTFS, UDF
                                      > Metadata (NTFS MFT, FAT directory entry)
                                      > Timestamps
                                      > Transaction logs (NTFS)
Web browser forensics                 > History, cache, cookies
                                      > Internet usage history (URLs, search keywords...)
E-mail forensics                      > MS Outlook file examination
                                      > E-mails and attachments
Database forensics                    > MS Extensible Storage Engine (ESE) database
                                      > SQLite database
Deleted data recovery                 > Metadata-based recovery
                                      > Signature- and content-based recovery (aka carving)
                                      > Windows Recycle Bin
                                      > Unused area examination
User behavior analysis                > Constructing a forensic timeline of events
                                      > Visualizing the timeline

6 Forensic tools

Unfortunately, some of the best forensic tools for Windows are not freely available. For this reason, the tools we will use are not ideal. Although some of the most appropriate ones for this assignment can be found in the AFS directory /afs/ist.utl.pt/groups/csf/public/lab3-4/tools, you may need to search for additional tools online. Make sure that the tools distributed in today's lab AFS directory are installed on your target forensics platform, i.e., either the Windows forensic VM or your own Windows computer. At the very least, install Autopsy, OSFMount, and OSForensics.

7 Questions

Answering the following questions will help you solve this case. The questions have several difficulty levels and demand specific background knowledge. We recommend that you start by answering the questions of level L1, then move on to the L2 questions and finally to L3. Try to answer each question by yourself. Use the tools recommended above and search for any other material that can help you in this task (e.g., slides from the theory classes, material available online, etc.). Feel free to install additional tools if you find that the recommended ones are not sufficient to obtain all the information you need from the evidence files. If you are stuck on some question and can't make progress, take a look at the answer sheet in the file lab3-4_answers.pdf. We are aware that this is a complex case and that you might need some help, but do that only as a last resort! The whole fun of this exercise is to find the evidence by yourself. Make notes and create a timeline of events right from the first questions; that will help you build up a picture of what happened as you proceed. Good luck!

1. (L1) What are the hash values (MD5) of all images? Do the acquisition and verification hash values match?
2. (L1) Identify the partition information of the PC image. [Hint: use Autopsy.]
3. (L1) Explain the installed OS information in detail (OS name, install date, registered owner...). [Hint: mount the PC image with OSFMount, and inspect the Registry using OSForensics.]
4. (L1) What is the timezone setting? [Hint: inspect the Registry.]
5. (L1) What is the computer name?
6. (L1) List all accounts in the OS except the system accounts: Administrator, Guest, systemprofile, LocalService, NetworkService. (Account name, login count, last logon date...)
7. (L1) Who was the last user to log on to the PC?
8. (L1) When was the last recorded shutdown date/time?
9. (L1) Obtain information on the network interface(s) with an IP address assigned by DHCP. [Hint: inspect the Registry.]
10. (L1) What applications were installed by the suspect after installing the OS?
11. (L1) List the application execution logs. (Executable path, execution time, execution count...) [Hint: inspect UserAssist in the Registry, and the Windows Prefetch folder.]
12. (L1) List all traces of system on/off and user logon/logoff. (Consider only the time range between 09:00 and 18:00 in the timezone from Question 4.) [Hint: read the Windows Event Log using the event viewer of the ProDiscover tool.]
13. (L2) What web browsers were used?
14. (L2) Identify the directory/file paths related to the web browser history. [Hint: for all relevant browsers, identify the directories where the browsing history, cache, and cookies are stored.]
15. (L2) What websites was the suspect accessing? (Timestamp, URL...) [Hint: inspect the content of the relevant directories found in the previous question.]

16. (L2) List all search keywords used in web browsers. (Timestamp, URL, keyword...) [Hint: inspect the web browser logs.]
17. (L1) List all user keywords typed into the search bar of Windows Explorer. (Timestamp, keyword) [Hint: inspect the Registry.]
18. (L1) What application was used for e-mail communication? [Hint: check the Registry.]
19. (L2) Where is the e-mail file located?
20. (L2) What was the e-mail account used by the suspect?
21. (L2) List all e-mails of the suspect. If possible, identify deleted e-mails. (You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment.) [Hint: examine the OST file only.]
22. (L1) List the external storage devices attached to the PC.
23. (L3) Identify all traces related to the renaming of files on the Windows Desktop. (Consider only the date range between 2015-03-23 and 2015-03-24.) [Hint: the parent directories of the renamed files were deleted and their MFT entries were also overwritten, so you may not be able to find their full paths. Possible sources: NTFS journal file analysis ($UsnJrnl), \$Extend\$UsnJrnl:$J + $MFT for identifying the full paths of files. You can also consider the Registry ShellBags for further information, and the Windows Search database, which is used in Question 46.]
24. (L1) What is the IP address of the company's shared network drive? [Hint: check the Registry.]
25. (L3) List all directories that were traversed in RM#2. [Hint: make use of the information about external storage devices attached to the PC from Question 22. Inspect the ShellBags.]
26. (L3) List all files that were opened in RM#2. [Hint: use the information from Question 2, and inspect the JumpLists and the ShellBags.]
27. (L3) List all directories that were traversed in the company's network drive. [Hint: inspect the JumpLists, the ShellBags, and the LNK files of recently opened items mentioned in the Registry.]
28. (L3) List all files that were opened in the company's network drive. [Hint: same as the previous question.]
29. (L1) Find traces related to cloud services on the PC. (Service name, log files...) [Hint: find evidence in Google Drive's installation directory and in the Registry: Configuration, Uninstall Information, Autoruns, UserAssist, Classes...]
30. (L3) What files were deleted from Google Drive? Find the filename and modified timestamp of each file. [Hint: find a transaction log file of Google Drive.]
31. (L3) Identify the account information used for synchronizing Google Drive.
32. (L2) What method (or software) was used for burning the CD-R? [Hint: check whether third-party software or the default CD/DVD features of Windows were used. Learn the two burning types supported by Windows. Inspect the Windows Event Log, the Registry, and the NTFS journal file for more clues.]
33. (L3) When did the suspect burn the CD-R? [Hint: it may have happened one or more times.]
34. (L3) What files were copied from the PC to the CD-R? [Hint: use the PC image only. You can examine the transaction logs of the file system for this task.]
35. (L2) What files were opened from the CD-R? [Hint: study the JumpLists and LNK files.]
36. (L1) Identify all timestamps related to a resignation file on the Windows Desktop. [Hint: the resignation file is a DOCX file in the NTFS file system. Check the attributes of the corresponding NTFS MFT entry.]

37. (L1) How and when did the suspect print the resignation file? [Hint: look up the printers installed on the system.]
38. (L1) Where are the Thumbcache files located?
39. (L1) Identify traces related to confidential files stored in the Thumbcache. (Include 256 only.) [Hint: open the Thumbcache files found previously.]
40. (L1) Where are the Sticky Notes files located? [Hint: learn about Sticky Notes files on the Web.]
41. (L1) Identify the notes stored in the Sticky Notes file.
42. (L2) Was the Windows Search and Indexing function enabled? How can you identify it? If it was enabled, what is the file path of the Windows Search index database? [Hint: check the Registry.]
43. (L2) What kinds of data were stored in the Windows Search database? [Hint: open the Windows Search database using a tool that reads .edb files.]
44. (L2) Find traces of Internet Explorer usage stored in the Windows Search database. (Consider only the date range between 2015-03-22 and 2015-03-23.)
45. (L2) List the e-mail communication stored in the Windows Search database. (Consider only the date range between 2015-03-23 and 2015-03-24.)
46. (L2) List the files and directories related to the Windows Desktop stored in the Windows Search database. (Windows Desktop directory: \Users\informant\Desktop\)
47. (L3) Where are the Volume Shadow Copies stored? When were they created? [Hint: find a meaningful directory in the root directory.]
48. (L3) Find traces related to the Google Drive service in the Volume Shadow Copy. What are the differences between the current system image (of Questions 29-31) and its VSC?
49. (L3) What files were deleted from Google Drive? Find the deleted records of the cloud_entry table inside snapshot.db from the VSC. (Examine the SQLite database only. Let us suppose that the text-based log file was wiped.) [Hint: the DDL of the cloud_entry table is as follows.]
    CREATE TABLE cloud_entry (doc_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, size INTEGER, checksum TEXT, shared INTEGER, resource_type TEXT, PRIMARY KEY (doc_id));
50. (L3) Why can't we find Outlook's e-mail data in the Volume Shadow Copy? [Hint: find more information about Volume Shadow Copy online.]
51. (L1) Examine the Recycle Bin data on the PC. [Hint: files deleted from an emptied Recycle Bin might be recovered by metadata-based data recovery.]
52. (L3) What anti-forensic actions were performed on the PC on the last day, 2015-03-25? [Hint: combine the information from most of the previous questions.]
53. (L1) Recover deleted files from the USB drive RM#2. [Hint: use a file carving tool.]
54. (L1) What anti-forensic actions were performed on the USB drive RM#2? [Hint: this can be inferred from the results of Question 53.]
55. (L3) What files were copied from the PC to the USB drive RM#2? [Hint: this can be inferred from the results of deleted data recovery in Question 53 and from the traversed files/directories found in Questions 25 and 26.]

56. (L2) Recover the hidden files from the CD-R RM#3. How can you determine the proper filenames of the original files prior to the renaming? [Hint: use file carving and metadata-based data recovery tools.]
57. (L2) What anti-forensic actions were performed on the CD-R RM#3? [Hint: this can be inferred from the examination of the CD-R image.]
58. (L3) Create a detailed timeline of the data leakage processes.
59. (L3) List and explain the data leakage methodologies used by the suspect.
60. (L3) Create a visual diagram summarizing the results.
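Question 23 points at the NTFS change journal ($UsnJrnl:$J) for rename traces. The Python code below is an added example, not part of the lab guide: it parses USN_RECORD_V2 entries (Microsoft's documented layout and reason flags) from a $J extract and pairs each RENAME_OLD_NAME record with the RENAME_NEW_NAME record of the same file reference, keeping only renames inside the 2015-03-23 to 2015-03-24 window of the question. The $J fragment, file reference numbers and file names are constructed here; resolving the parent reference to a full path through $MFT is left to the tools named in the hint.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags of USN_RECORD_V2, as documented by Microsoft.
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
USN_V2_HEADER = "<IHHQQQQIIIIHH"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def build_record(usn, file_ref, parent_ref, when, reason, name):
    """Serialize one USN_RECORD_V2 (constructed test data, padded to 8 bytes like NTFS does)."""
    name_bytes = name.encode("utf-16-le")
    length = 60 + len(name_bytes)
    length += (-length) % 8
    hdr = struct.pack(USN_V2_HEADER, length, 2, 0, file_ref, parent_ref, usn,
                      dt_to_filetime(when), reason, 0, 0, 0x20, len(name_bytes), 60)
    return hdr + name_bytes + b"\x00" * (length - 60 - len(name_bytes))

def parse_usn_records(blob):
    """Walk a $J extract and yield one dict per USN_RECORD_V2."""
    off = 0
    while off + 60 <= len(blob):
        (length, major, _minor, file_ref, parent_ref, usn, ft, reason,
         _src, _sid, _attrs, name_len, name_off) = struct.unpack_from(USN_V2_HEADER, blob, off)
        if length == 0:              # $J is sparse: zero-filled gaps sit between record runs
            off += 8
            continue
        if major != 2 or length < 60 or off + length > len(blob):
            break                    # unsupported version or truncated record
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "file_ref": file_ref, "parent_ref": parent_ref,
               "time": filetime_to_dt(ft), "reason": reason, "name": name}
        off += length

def rename_events(records, start, end):
    """Pair each RENAME_OLD_NAME record with the next RENAME_NEW_NAME record of the same
    file reference; keep renames whose NEW_NAME timestamp lies in [start, end)."""
    pending, events = {}, []
    for r in records:
        if r["reason"] & USN_REASON_RENAME_OLD_NAME:
            pending[r["file_ref"]] = r["name"]
        elif r["reason"] & USN_REASON_RENAME_NEW_NAME:
            old = pending.pop(r["file_ref"], None)   # the trailing CLOSE record pops nothing
            if old is not None and start <= r["time"] < end:
                events.append((r["time"], r["file_ref"], r["parent_ref"], old, r["name"]))
    return events

def demo():
    """Constructed $J fragment: one rename inside the 2015-03-23..24 window, one outside it."""
    utc = timezone.utc
    parent = (1 << 48) | 0x1234            # constructed MFT reference of the parent folder
    t1, t2 = datetime(2015, 3, 23, 14, 5, tzinfo=utc), datetime(2015, 3, 25, 9, 0, tzinfo=utc)
    blob = b"".join([
        build_record(1000, (1 << 48) | 0x44, parent, t1, USN_REASON_RENAME_OLD_NAME, "design_spec.docx"),
        build_record(1100, (1 << 48) | 0x44, parent, t1, USN_REASON_RENAME_NEW_NAME, "report.docx"),
        build_record(1200, (1 << 48) | 0x44, parent, t1, USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "report.docx"),
        b"\x00" * 16,
        build_record(2000, (1 << 48) | 0x45, parent, t2, USN_REASON_RENAME_OLD_NAME, "notes.txt"),
        build_record(2100, (1 << 48) | 0x45, parent, t2, USN_REASON_RENAME_NEW_NAME, "todo.txt"),
    ])
    return rename_events(parse_usn_records(blob),
                         datetime(2015, 3, 23, tzinfo=utc), datetime(2015, 3, 25, tzinfo=utc))
```

On the real image, feed parse_usn_records the $J data stream extracted by a forensic tool and look the parent reference up in $MFT; as the hint warns, that entry may already be overwritten, which is why the ShellBags and the Windows Search database are suggested as corroboration.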
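Question 49 asks for deleted cloud_entry rows inside snapshot.db. The Python code below is an added example, not code from the lab guide or from Google Drive: it builds a constructed snapshot.db from the DDL quoted in the hint, deletes one row, and then carves the SQLite file's freeblocks and unallocated page space, where SQLite leaves the bytes of deleted cells unless secure_delete is on. The sample rows and filenames are constructed, and the match is a plain byte search for known filenames rather than a full record-header parse.

```python
import os
import sqlite3
import struct
import tempfile

# DDL of Google Drive's cloud_entry table, exactly as quoted in Question 49 of the lab guide.
CLOUD_ENTRY_DDL = (
    "CREATE TABLE cloud_entry (doc_id TEXT, filename TEXT, modified INTEGER, created INTEGER, "
    "acl_role INTEGER, doc_type INTEGER, removed INTEGER, size INTEGER, checksum TEXT, "
    "shared INTEGER, resource_type TEXT, PRIMARY KEY (doc_id))")

# Constructed sample rows; they are not taken from the evidence image.
SAMPLE_ROWS = [
    ("doc-0001", "quarterly_plan.docx", 1427100000, 1427000000, 0, 1, 0, 4096, "chk-a", 0, "file"),
    ("doc-0002", "secret_design.pdf", 1427110000, 1427010000, 0, 1, 0, 8192, "chk-b", 0, "file"),
    ("doc-0003", "notes.txt", 1427120000, 1427020000, 0, 1, 0, 512, "chk-c", 0, "file"),
]

def build_snapshot_db(path, delete_doc_id):
    """Create a snapshot.db-like file, insert SAMPLE_ROWS, then delete one row."""
    con = sqlite3.connect(path)
    # Keep deleted cell bytes on disk; a library built with SQLITE_SECURE_DELETE zeroes them by default.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(CLOUD_ENTRY_DDL)
    con.executemany("INSERT INTO cloud_entry VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM cloud_entry WHERE doc_id = ?", (delete_doc_id,))
    con.commit()
    con.close()

def live_filenames(path):
    con = sqlite3.connect(path)   # what a plain SELECT still shows: the deleted row is gone
    rows = [r[0] for r in con.execute("SELECT filename FROM cloud_entry ORDER BY doc_id")]
    con.close()
    return rows

def unused_regions(db_bytes):
    """Yield (page_no, kind, bytes) for each freeblock and for the unallocated gap between
    the cell pointer array and the cell content area of every b-tree page."""
    page_size = struct.unpack(">H", db_bytes[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    for pno in range(1, len(db_bytes) // page_size + 1):
        page = db_bytes[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0          # page 1 begins with the 100-byte file header
        flag = page[hdr]
        if flag not in (0x02, 0x05, 0x0A, 0x0D):
            continue                          # not a b-tree page (freelist, overflow, zeroed)
        first_free, n_cells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        content_start = 65536 if content_start == 0 else content_start
        ptr_end = hdr + (12 if flag in (0x02, 0x05) else 8) + 2 * n_cells
        if content_start > ptr_end:
            yield pno, "unallocated", page[ptr_end:content_start]
        off = first_free
        while off:                            # freeblock: 2-byte next offset, 2-byte size
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            yield pno, "freeblock", page[off + 4:off + size]
            off = nxt if nxt > off else 0     # chain is ascending; stop on a corrupt link

def carve_deleted_filenames(path, candidates):
    """Return candidate filenames found in unused page space but absent from the live rows."""
    with open(path, "rb") as f:
        db = f.read()
    live = set(live_filenames(path))
    found = set()
    for _pno, _kind, blob in unused_regions(db):
        for name in candidates:
            if name not in live and name.encode() in blob:
                found.add(name)
    return sorted(found)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "snapshot.db")
    build_snapshot_db(path, "doc-0002")
    return live_filenames(path), carve_deleted_filenames(path, [r[1] for r in SAMPLE_ROWS])
```

On the evidence, run unused_regions over the snapshot.db copied out of the shadow copy and search the yielded blobs for the filenames recovered in Question 30, or decode the SQLite record headers inside them to rebuild whole rows.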